Topics like ethics, community relations, cybersecurity, governance, supply chain, environmental impacts, safety, and sustainability that are ESG-related are also areas that internal auditors have already been focused on historically due to the risks they present for many organizations. ESG strategies often combine these topics under a single umbrella with a heightened element of stakeholder interest.

Internal auditors are able to assess processes to ensure that they are efficient and contain appropriate internal controls to mitigate relevant risks while ensuring regulatory compliance. Internal audit will also be vital in assessing the quality of the data that is collected, addressing one of the significant pain points within ESG strategy and reporting. Finally, these professionals will be able to independently confirm that ESG strategy aligns with the strategic goals of the organization and its stakeholders.

Common sense approach to ESG for internal auditors

ESG related risks and opportunities are not reserved for large multi-national corporations and government, they are just as relevant for smaller entities. Since internal audit resources are limited, challenges exist to assess and respond to all ESG-related risks. However, internal auditors can utilize existing frameworks, guidance, and tools that are available for risk management and sustainability such as COSO’s Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks and COSO’s Achieving Effective Internal Control Over Sustainability Reporting (ICSR).

Specific internal audit functions in ESG

Internal auditors are key players in an ESG strategy.  Let’s examine some specific areas where they may be able to assist management and add value.

Risk and Internal Controls Assessment

Risk identification and assessment are core functions of internal audit, and though identifying ESG risks can be more challenging than traditional risks, it should be treated in the same way as any other entity risk. It should include not only the risks, but the opportunities to create, preserve, and realize real value for the organization. Sources of ESG risks can be identified through already existing tools like previous external/internal audits, surveys, media monitoring or existing risk inventory. If your organization does not already have an existing risk inventory, this is a great time for internal audit to create one. ESG risks can be difficult to predict but they can have potentially significant impacts or a longer lead time for those impacts to materialize.

Internal control assessments help to identify what ESG controls exist or may need to exist to mitigate the risks identified above.  Internal controls for ESG purposes can be related to reporting, information and data collection, the achievement of specific ESG goals and commitments, etc. An internal controls assessment of ESG controls can include an evaluation of the effectiveness of the control environment in achieving organizational goals and stakeholder interests.

Benchmarking

Internal audit often plays a valuable role in the benchmarking of data being captured across an organization or externally, across a common industry.  The benchmarking of and ESG program against an accepted maturity model will help define the organizations current state of ESG objectives versus a desired future state.

Regulatory Assessment

Where does your organization stand in relation to the evolving ESG regulatory landscape? Understanding the global state of play is a regular exercise for those with responsibilities in ESG reporting and compliance. A collaborative internal audit team can quickly help assess and report on ESG requirements across the globe, as well as local requirements that may be state specific within the U.S.

Assessment of data quality

Typically, an organization has a strong grasp on recurring financial data, but ESG reporting and strategy will require a great deal of non-financial (and much non-quantitative!) data that might not be as readily available and is likely unstructured.  Although internal audit may not own the financial and non-financial data used in many ESG metrics and disclosures, once the data collection process is evaluated, internal auditors can ensure that the data is both relevant and reliable.  The well-known concepts of accuracy and completeness apply to both financial and non-financial metrics.  Additional focus should be on whether data is replicable in a timely, consistent manner. Data quality should be assessed for and inclusive of both positive and negative metrics that need to be reported. What is the level of assurance on that data? How often is it collected? Who is collecting it and what is the process to collect the data?

Establishing governance and oversight for ESG

Governance in an organization provides the structures, oversight and culture needed to establish strategies and objectives related to ESG. Internal auditors can help map or define mandatory and voluntary ESG requirements and increase board awareness of any ESG related risks. They can provide recommendations to leadership to help embed and incorporate ESG ambitions into the culture and mission of the organization and recommend implementation of these priorities into hiring and talent acquisition.